Sunday 9 October 2011

Android.Spitmo C&C

The 13 September, Ayelet Heyman of Trusteer blogged about the first SpyEye Attack on Android.
The sample "simseg.apk", was not really hard to find.




I'm not really good at Android reversing (and I even don't have a mobile phone in real life :þ)
So, i've read some posts about how this malware work :)

I retained two important things when it return informations:
- Data are sent with GET request.
- The C&C have no login form.

Now, more recently when SpyEye 1.3.48 was released, EP_X0FF have found a sample.


By brute forcing folders on the SpyEye 1.3.48 server i've found the same C&C described on Trusteer.

Exactly the same C&C there is even the 'call tests' made by Trusteer guys:


There is nothing to do for exploit the C&C, the php code is really poor.
But due to the presence of the SpyEye C&C, it was possible to dump the stuff.
(Once again found by brute force and a little common sense)

The guys seem use a legit version of SpyEye, ok cool but he don't know shit's about panels.


Server do many timeouts, 815 bots who call the gate and that already hangs like hell ^_-


Folder /sms/:






gate.php:

SQL dump (made by me):

Even found the same "simseg.apk" sample on the server, accompanied with SpyEye stuff, gates, twitter/mails spammers...





 Contrary to Μ Ayelet Heyman, I don't think Spitmo will have a future (more probable variants writen by others guys, based on simseg.apk)
Spitmo is weak and the guys who use it is clearly not a professional.


Improved... well.

No comments:

Post a Comment